An investigation into the origins of financial Trojan Carbanak has revealed alleged connections to a Russian cybersecurity firm.
Carbanak is a sophisticated Trojan which is used in campaigns against banks, e-payment systems and financial institutions worldwide. Once a system is compromised — usually through spear phishing or poor network defense — the malware spreads and tracks down admin consoles before spying on them to capture and record staff making financial transactions.
Armed with this information, the Carbanak threat group then mimics staff and transfers cash fraudulently. According to Kaspersky, the Trojan has been responsible for the theft of at least $1 billion in recent years.
On Monday, security expert Brian Krebs revealed in a blog post that researcher Ron Guilmette has found some interesting commonalities between website registration records for sites known to host the malware and a Russian security company.
The websites, including weekend-service.com and coral-travel.com, are established and known sources of Carbanak infection. Their WHOIS records all contained the same phone and fax numbers for a company in China. At least 484 domains were registered using these details.
However, on further investigation, the researchers realized that a few domains registered with the same Chinese phone numbers do not serve Carbanak. One of these domains, cubehost.biz, was registered to 28-year-old Artem Tveritinov of Perm, Russia, in 2013.
The website is dormant, but according to Krebs, appears to be the sister property to Russian cybersecurity firm Infocube (or “InfoKube”), which is also registered to Tveritinov. Infocube’s website claims that the firm provides IT and cloud security solutions for businesses, including software, audits and data centre design.
The oldest WHOIS record for the website contains an email address that Krebs was able to link to Tveritinov, who is named as the CEO of “Infocub” in a press release.
Infocube’s partnership page claimed industry partners including Kaspersky and ESET. The former admitted Infocube was a “very minor partner,” while ESET told Krebs that Infocube has never been a partner at all.
Krebs reached out to Tveritinov with these findings using the linked email address. While they were communicating, Tveritinov wiped clean the social media profile that contained the email address and then denied any link to cubehost.biz, claiming instead that his personal information had been stolen and used to register the domain.
“Our company never did anything illegal, and conducts all activities according to the laws of Russian Federation,” Tveritinov said. “Also, it’s quite stupid to use our own personal data to register domains to be used for crimes, as [we are] specialists in the information security field.”
However, it also appears that Infocube runs a number of web domains through PIN Ltd., well-known for unsavoury online registrations.
It is unknown if the Carbanak threat group is still active. Last month, Russian police arrested 50 people allegedly tied to the distribution of the financial Trojan.